The BitLocker paper
[Sep. 10th, 2008 | 08:33 am]
In the most recent CyberSpeak podcast I was interviewed about several topics including my work with Microsoft's BitLocker Drive Encryption. It's a great interview and I highly recommend it. Here are three additional resources on BitLocker.
First, you can check out my slides from the Open Memory Forensics Workshop. These detail how to find BitLocker keys in memory images, along with my interpretation of "tool marks" in computer forensics.
Second, you can now read my paper about BitLocker's key management system. (The paper has been submitted to Digital Investigation and has not been published previously.) The paper documents how to use each kind of key to decrypt the protected data. It also covers some parts of the key management system which I don't know why Microsoft included. Even with those parts included, however, I do not think there are any backdoors in BitLocker. Here's the abstract:
This paper provides details necessary, given the correct keys, to access the protected data on volumes encrypted with Microsoft's BitLocker Drive Encryption. Although Microsoft published some of the BitLocker specifications there were details left out, particularly those regarding key management. Examples are given to demonstrate the cryptographic modes claimed. The author is not aware of any backdoors in the BitLocker system, meaning forensic examiners must obtain the necessary encryption keys to access a protected volume. There are, however, some unanswered questions about how the cryptosystem was designed and operates, including an undocumented key management decision.
Finally, the patient among you can wait for my presentation, "Practical Methods for Dealing with Full Disk Encryption" at the 2009 DoD Cyber Crime Conference. The conference will once again be held at the end of January in St. Louis, MO. Bring your mittens!